http://flink-forward.org/kb_sessions/flink-security-enhancements/
Recent security enhancements to Flink make it easy to access secure data and to protect the associated credentials. In this talk we’ll describe and demonstrate the new features, including Kerberos-based access to HDFS and Kafka, transport security (TLS), and service-level authorization which protects your Flink cluster from unauthorized access.
Slide 2 of 11
New Security Features
1. Kerberos Authentication Support
2. Service-Level Authorization
3. Transport Security (SSL/TLS)
Slide 3 of 11
Existing Capability
• Hadoop Delegation Token (DT)
  • CLI uses Kerberos to authenticate to HDFS
  • HDFS provides a DT, which the CLI passes to the Flink cluster
  • Cluster is able to access HDFS files on behalf of the user
• Limitations
  • YARN mode only
  • Not useful to non-Hadoop services, e.g. Kafka.
• Note: still supported
[Diagram: CLI and web browser connect to the Flink cluster (JM, TMs) over Akka and HTTP; TMs exchange data; the cluster reaches Kafka, HDFS and ZooKeeper; credential shown: delegation token]
Slide 4 of 11
Kerberos Authentication Support
• “Cluster-Level Kerberos Identity”
  • Keytab-based
  • Shared by all jobs, not job-specific
• Enables Kerberos authentication
  • Data sources and sinks (HDFS, Kafka…)
  • State backends (ZooKeeper…)
• Protects state data
  • ACL on znodes, files
• Supported in standalone and YARN deployment modes
[Diagram: same cluster layout (CLI, web browser, JM, TMs, Kafka, HDFS, ZooKeeper; Akka, data and HTTP links); credential shown: keytab]
Slide 5 of 11
Service-Level Authorization
• “Restrict access to your Flink cluster”
• Protects all endpoints:
  • Akka system (control path)
  • Intra-cluster data transfer
  • Web UI
  • Blob transfer (JARs…)
• Simple shared secret
  • Configured or generated
  • Stored on client (~/.flink/…)
  • Stored in cluster
• Supported in standalone and YARN
[Diagram: same cluster layout (CLI, web browser, JM, TMs, Kafka, HDFS, ZooKeeper; Akka, data and HTTP links); credentials shown: keytab, secret]
Slide 6 of 11
Transport-Level Security (SSL/TLS)
• “SSL for all connections”
• May be enabled on a per-endpoint basis
  • Web UI is problematic
• Supported in standalone and YARN
[Diagram: same cluster layout (CLI, web browser, JM, TMs, Kafka, HDFS, ZooKeeper; Akka and data links, browser link now HTTPS); credentials shown: keytab, secret, TLS cert(s)]
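The keytab identity (slide 4) and transport security (slide 6) are both cluster-level settings in flink-conf.yaml. As an added example, not code from the talk or from the Flink project, the Python script below parses a flink-conf.yaml and reports gaps of the kind the slides describe: no keytab-based identity, Kafka left out of the Kerberos login contexts, SSL disabled, default keystore passwords, hostname verification switched off, and a keytab file readable by other users. The option names are those of the Flink 1.2-era documentation (security.kerberos.login.*, security.ssl.*) and should be checked against the version you run; the sample configurations, paths and passwords are constructed. Service-level authorization is not audited because the talk does not give its configuration keys.

```python
"""Audit a flink-conf.yaml for the Kerberos and SSL settings discussed in the talk.

Added example, not Flink's own code. Option names follow the Flink 1.2-era
documentation; verify them against the documentation of the version you run.
"""
import os
import stat
from typing import Dict, List

# Constructed sample configurations (not from the talk; paths and passwords are made up).
HARDENED_CONF = """\
jobmanager.rpc.address: jobmanager.example.internal
# Cluster-level Kerberos identity: one keytab shared by all jobs
security.kerberos.login.keytab: /etc/security/keytabs/flink.keytab
security.kerberos.login.principal: flink/_HOST@EXAMPLE.COM
security.kerberos.login.contexts: Client,KafkaClient
# Transport security for the Akka control path, data transfer and blob traffic
security.ssl.enabled: true
security.ssl.keystore: /etc/flink/ssl/node.keystore
security.ssl.keystore-password: made-up-keystore-pw
security.ssl.key-password: made-up-key-pw
security.ssl.truststore: /etc/flink/ssl/ca.truststore
security.ssl.truststore-password: made-up-truststore-pw
"""

WEAK_CONF = """\
jobmanager.rpc.address: jobmanager.example.internal
security.ssl.enabled: false
"""

WELL_KNOWN_PASSWORDS = {"", "changeit", "password"}


def parse_flink_conf(text: str) -> Dict[str, str]:
    """flink-conf.yaml is a flat 'key: value' file; comments and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit_kerberos(conf: Dict[str, str]) -> List[str]:
    """Slide 4: the cluster needs a keytab-based identity to reach HDFS, Kafka and ZooKeeper."""
    findings: List[str] = []
    keytab = conf.get("security.kerberos.login.keytab")
    principal = conf.get("security.kerberos.login.principal")
    if not keytab and not principal:
        return ["kerberos: no keytab/principal configured; the cluster has no Kerberos identity"]
    if bool(keytab) != bool(principal):
        findings.append("kerberos: keytab and principal must be configured together")
    contexts = {c.strip() for c in conf.get("security.kerberos.login.contexts", "").split(",")}
    if "KafkaClient" not in contexts:
        findings.append("kerberos: 'KafkaClient' missing from security.kerberos.login.contexts; "
                        "Kafka connectors will not authenticate with the keytab")
    return findings


def audit_ssl(conf: Dict[str, str]) -> List[str]:
    """Slide 6: SSL covers the Akka control path, data transfer and blob endpoints."""
    if conf.get("security.ssl.enabled", "false").lower() != "true":
        return ["ssl: security.ssl.enabled is not true; intra-cluster traffic is plaintext"]
    findings: List[str] = []
    for key in ("security.ssl.keystore", "security.ssl.truststore"):
        if key not in conf:
            findings.append(f"ssl: {key} is not set")
    for key in ("security.ssl.keystore-password", "security.ssl.key-password",
                "security.ssl.truststore-password"):
        if conf.get(key, "") in WELL_KNOWN_PASSWORDS:
            findings.append(f"ssl: {key} is empty or a well-known default")
    if conf.get("security.ssl.verify-hostname", "true").lower() == "false":
        findings.append("ssl: hostname verification disabled; certificates are not bound to peers")
    return findings


def keytab_mode_findings(mode: int) -> List[str]:
    """A keytab is a long-lived credential: any group/other permission bit is too permissive."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"keytab: mode {stat.S_IMODE(mode):04o} is accessible to group/other; expected 0600"]
    return []


def audit_keytab_file(path: str) -> List[str]:
    """Stat the configured keytab on this host; reports a finding when the file is absent."""
    if not os.path.exists(path):
        return [f"keytab: {path} not found on this host"]
    return keytab_mode_findings(os.stat(path).st_mode)


def audit_config(text: str) -> List[str]:
    """Run the Kerberos and SSL checks over one configuration file's text."""
    conf = parse_flink_conf(text)
    return audit_kerberos(conf) + audit_ssl(conf)


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(f"== {name} ==")
        for finding in audit_config(text) or ["no findings"]:
            print(" -", finding)
```

The permission check is split into a pure function on the mode bits and a thin wrapper that stats the file, so the rule can be tested without touching the filesystem; in a real deployment you would run `audit_keytab_file` on every JobManager and TaskManager host, since the keytab is copied to each of them.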